Abstract

Abstraction (in its various forms) is a powerful established technique in model checking; still, when unbounded data structures are concerned, it cannot always cope with divergence phenomena in a satisfactory way. Acceleration is an approach which is widely used to avoid divergence, but it has been applied mostly to integer programs. This paper addresses the problem of accelerating transition relations for unbounded arrays with the ultimate goal of avoiding divergence during reachability analysis of abstract programs. For this, we first design a format to compute accelerations in this domain; then we show how to adapt the so-called 'monotonic abstraction' technique to efficiently handle complex formulae with nested quantifiers generated by the acceleration preprocessing. Notably, our technique can be easily plugged into abstraction/refinement loops, and strongly contributes to avoiding divergence: experiments conducted with the MCMT model checker attest the effectiveness of our approach on programs with unbounded arrays, where acceleration and abstraction/refinement technologies fail if applied alone.



1 Introduction 

Transitive closure is a logical construct that is far beyond first-order logic: either infinite disjunctions or higher-order quantifiers or, at least, fixpoint operators are required to express it. Indeed, due to the compactness of first-order logic, transitive closure (even modulo the axioms of a first-order theory) is first-order definable only in trivial cases. These general results do not hold if we define a theory as a class of structures $\mathcal{C}$ over a given signature.¹ Such a definition is different from the "classical" one where a theory is identified with a set of axioms. By taking a theory as a class of structures the property of compactness breaks, and it might well happen that transitive closure becomes first-order definable (the first-order definition being valid just inside the class $\mathcal{C}$, which is often reduced to a single structure).

In this paper we consider the extension of Presburger arithmetic with free unary function symbols. Inside Presburger arithmetic, various classes of relations are known to have definable acceleration² (see the related work section below). In our combined setting, the presence of free function symbols introduces a novel feature that, for instance, limits decidability to controlled extensions of the quantifier-free fragment [15, 22]. In this paper we show that in such a theory some classes of relations admit a definable acceleration.

The theoretical problem of studying the definability of accelerated relations has an important application in program verification. The theory we focus on is widely adopted to represent programs handling arrays, where free functions model arrays of integers. In this application domain, the accelerated counterpart of relations encoding system evolution (e.g., loops in programs) allows one to compute 'in one shot' the reachable set of states after an arbitrary but finite number of execution steps. This has the great advantage of keeping under control sources of (possible) divergence arising in the reachability analysis.

¹ Such a definition is widely adopted in the SMT literature [7].

² 'Acceleration' is the name usually adopted in the formal methods literature to indicate transitive closure.

The contributions of the paper are many-fold. First, we show that inside the combined theory of Presburger arithmetic augmented with free function symbols, the acceleration of some classes of relations (corresponding, in our application domain, to relations involving arrays and counters) can be expressed in first-order language. This result comes at the price of allowing nested quantifiers. Such nested quantification can be problematic in practical applications. To address this complication, as a second contribution of the paper, we show how to take care of the quantifiers added by the accelerating procedure: the idea is to import into this setting the so-called monotonic abstraction technique [1, 2]. This technique has been reinterpreted and analyzed in a declarative context in [5]: from a logical point of view, it amounts to a restricted form of instantiation for universal quantifiers. Third, we show that the ability to compute accelerated relations is greatly beneficial in program verification. In particular, one of the biggest problems in verifying safety properties of array programs is designing procedures for the synthesis of relevant quantified predicates. In typical sequential programs (like those illustrated in Figure 1), the guarded assignments used to model the program instructions are ground and, as a consequence, the formulae representing backward reachable states are ground too. However, the invariants required to certify the safety of such programs contain quantifiers. Our acceleration procedure is able to supply the required quantified predicates. Our experimentation attests that abstraction/refinement-based strategies widely used in verification benefit from accelerated transitions. In programs with nested loops, such as the allDiff procedure of Figure 1, the ability to accelerate the inner loop simplifies the structure of the problem, allowing abstraction to converge during verification of the entire program. For such programs, abstraction/refinement or acceleration approaches taken in isolation are not sufficient; reachability analysis converges only if they are combined together.

Related Work. To the best of our knowledge, the only work addressing the problem of accelerating relations involving arrays is [12]. That approach seems to be unable to handle properties of common interest with more than one quantified variable (e.g., "sortedness") and is limited to programs without nested loops. Our technique is not affected by such limitations and can successfully handle examples outside the scope of [12].

Inside Presburger arithmetic, various classes of relations are known to have definable acceleration: these include relations that can be formalized as difference bounds constraints [14, 19], octagons [11] and finite monoid affine transformations [20] (paper [13] presents a general approach covering all these domains). Acceleration for relations over Presburger arithmetic has also been plugged into abstraction/refinement loops for verifying integer programs [16, 26].

We recall that acceleration has also been applied proficiently in the analysis of real time systems (e.g., [8, 
25]), to compactly represent the iterated execution of cyclic actions (e.g., polling-based systems) and address 
fragmentation problems. 

Our work can be proficiently combined with SMT-based techniques for the verification of programs, as it helps avoid divergence of the reachability analysis when it comes to abstraction of programs with arrays of unknown length. Since the technique mostly operates at the pre-processing level (we add to the system accelerated transitions by collapsing branches of loops handling arrays), we believe that our technique is compatible with most approaches proposed in array-based software model checking. We summarize some of these approaches below, without pretending to be exhaustive.

The vast majority of software model-checkers implement abstraction-refinement algorithms (e.g., [6, 18, 
24]). Lazy Abstraction with Interpolants [30] is one of the most effective frameworks for unbounded reach- 
ability analysis of programs. It relies on the availability of interpolation procedures (nowadays efficiently 
embedded in SMT-Solvers [17]) to generate new predicates as (quantifier-free) interpolants for refining in- 
feasible counterexamples. 

For programs with arrays of unknown length the classical interpolation-based lazy abstraction works only if there is support to handle quantified predicates [3] (the approach of [3] is the basis of our experiments below). Effectiveness and performance of abstraction/refinement approaches strongly depend on their ability to generate the "right" predicates to stop divergence of verification procedures. In the case of programs with arrays, this quest can rely on ghost variables [21] retrieved from the post-conditions, on the backward propagation of post-conditions along spurious counterexamples [33], or can be constraint-based [9, 34]. Recently, constraint-based techniques have been significantly extended to the generation of loop invariants outside the array property fragment [29]. This solution exploits recent advances in SMT solving, namely those devoted to finding solutions of constraints over non-linear integer arithmetic [10]. Other ways to generate predicates are by means of saturation-based theorem provers [28, 31] or interpolation procedures [3, 27].



    function allDiff(int a[N]):
      1  r = true;
      2  for (i = 1; i < N ∧ r; i++)
      3    for (j = i − 1; j ≥ 0 ∧ r; j−−)
      4      if (a[i] = a[j]) r = false;
      5  assert (r → ∀x, y (0 ≤ x < y < N → a[x] ≠ a[y]))

                                 (a)

    function Reverse(int I[N+1]; int O[N+1]; int c):
      1  c = 0;
      2  while (c ≠ N + 1) { O[c] = I[N − c]; c++; }
      3  assert (∀x ≥ 0, y ≥ 0 (x + y = N → I[x] = O[y]))

                                 (b)

Figure 1: Motivating examples.

All the aforementioned techniques suffer from a certain degree of randomness due to the fact that detecting the "right" predicate is an undecidable problem. For example, predicate abstraction approaches (i.e., [3, 4, 33]) fail in verifying the procedures in Figure 1, which are commonly considered to be challenging for verifiers because they cause divergence.³ Acceleration, on the other side, provides a precise and systematic way for addressing the verification of programs. Its combination, as a preprocessing procedure, with standard abstraction-refinement techniques allows one to successfully solve challenging problems like the ones in Figure 1.

The paper is structured as follows: Section 2 recalls the background notions about Presburger arithmetic and extensions. In order to identify the classes of relations whose acceleration we want to study, we are guided by software model checking applications. To this end, we provide in Section 3 a classification of the guarded assignments we are interested in. Section 4 demonstrates the practical application of the theoretical results. In particular, it presents a backward reachability procedure and shows how to plug acceleration with monotonic abstraction into it. The details of the theoretical results are presented later. The main definability result for accelerations is in Section 6, while Section 5 introduces the abstract notion of an iterator. Section 7 discusses our experiments and Section 8 concludes the paper.

2 Preliminaries 

We work in Presburger arithmetic enriched with free function symbols and with definable function symbols (see below); when we speak about validity or satisfiability of a formula, we mean satisfiability and validity in all structures having the standard structure of natural numbers as reduct. Thus, satisfiability and validity are decidable if we restrict to quantifier-free formulae (by adapting Nelson-Oppen combination results [32, 35]), but may become undecidable otherwise (because of the presence of free function symbols).

We use $x, y, z, \dots$ or $i, j, k, \dots$ for variables; $t, u, \dots$ for terms; $c, d, \dots$ for free constants; $a, b, \dots$ for free function symbols; $\phi, \psi, \dots$ for quantifier-free formulae. Bold letters are used for tuples and $|-|$ indicates tuple length; hence for instance $\mathbf{u}$ indicates a tuple of terms like $u_1, \dots, u_m$, where $m = |\mathbf{u}|$ (these tuples may contain repetitions). For variables, we use underlined letters $\underline{x}, \underline{y}, \dots, \underline{i}, \underline{j}, \dots$ to indicate tuples without repetitions. Vector notation can also be used for equalities: if $\mathbf{u} = u_1, \dots, u_n$ and $\mathbf{v} = v_1, \dots, v_n$, we may use $\mathbf{u} = \mathbf{v}$ to mean the formula $\bigwedge_{i=1}^{n} u_i = v_i$.

If we write $t(x_1, \dots, x_n)$, $\mathbf{u}(x_1, \dots, x_n)$, $\phi(x_1, \dots, x_n)$ (or $t(\underline{x})$, $\mathbf{u}(\underline{x})$, $\phi(\underline{x})$, ..., in case $\underline{x} = x_1, \dots, x_n$), we mean that the term $t$, the tuple of terms $\mathbf{u}$, the quantifier-free formula $\phi$ contain variables only from the tuple $x_1, \dots, x_n$. Similarly, we may use $t(\mathbf{a}, \mathbf{c}, \underline{x})$, $\phi(\mathbf{a}, \mathbf{c}, \underline{x})$, ... to mean both that the term $t$ or the quantifier-free formula $\phi$ have free variables included in $\underline{x}$ and that the free function and free constant symbols occurring in them are among $\mathbf{a}, \mathbf{c}$. Notations like $t(\mathbf{u}/\underline{x})$, $\phi(\mathbf{u}/\underline{x})$, ... or $t(u_1/x_1, \dots, u_n/x_n)$, $\phi(u_1/x_1, \dots, u_n/x_n)$, ... (or occasionally just $t(\mathbf{u})$, $\phi(\mathbf{u})$, ... if confusion does not arise) are used for simultaneous substitutions within terms and formulas. For a given natural number $n$, we use the standard abbreviations $\bar n$ and $n*y$ to denote the numeral of $n$ (i.e., the term $s^n(0)$, where $s$ is the successor function) and the sum of $n$ addends all equal to $y$, respectively. If confusion does not arise, we may write just $n$ for $\bar n$.

By a definable function symbol, we mean the following. Take a quantifier-free formula $\phi(\underline{x}, y)$ such that $\forall \underline{x}\, \exists! y\, \phi(\underline{x}, y)$ is valid ($\exists! y$ stands for 'there is a unique $y$ such that ...'). Then a definable function symbol $F$ (defined by $\phi$) is a fresh function symbol, with arity matching the length of $\underline{x}$, which is constrained to be interpreted in such a way that the formula $\forall \underline{x}\, \forall y.\ F(\underline{x}) = y \leftrightarrow \phi(\underline{x}, y)$ is true. The addition of definable function symbols does not affect decidability of quantifier-free formulae and can be used for various purposes, for instance in order to express directly case-defined functions, array updates, etc. For instance, if $a$ is a unary free function symbol, the term $wr(a, i, x)$ (expressing the update of the array $a$ at position $i$ by over-writing $x$) is a definable function; formally, we have $\underline{x} := i, x, j$ and $\phi(\underline{x}, y)$ is given by $(j = i \wedge y = x) \vee (j \neq i \wedge y = a(j))$. This formula $\phi(\underline{x}, y)$ (and similar ones) can be abbreviated like

$$y = (\text{if } j = i \text{ then } x \text{ else } a(j))$$

to improve readability. Another useful definable function is integer division by a fixed natural number $n$: to show that integer division by $n$ is definable, recall that in Presburger arithmetic $\forall x\, \exists! y\, \bigvee_{r=0}^{n-1} (x = n*y + r)$ is valid.

³ The procedure Reverse outputs to the array O the reverse of the array I; the procedure allDiff checks whether the entries of the array a are all different. Many thanks to Madhusudan Parthasarath and his group for pointing us to challenging problems with arrays of unknown length, including the allDiff example.

3 Programs representation 

As a first step towards our main definability result, we provide a classification of the relations we are interested in. Such relations are guarded assignments required to model programs handling arrays of unknown length. In our framework a program $\mathcal{P}$ is represented by a tuple $(\mathbf{v}, l_I, l_E, \mathcal{T})$; the tuple $\mathbf{v} := \mathbf{a}, \mathbf{c}, pc$ models system variables; formally, we have that

- the tuple $\mathbf{a} = a_1, \dots, a_s$ contains free unary function symbols, i.e., the arrays manipulated by the program;

- the tuple $\mathbf{c} = c_1, \dots, c_t$ contains free constants, i.e., the integer data manipulated by the program;

- the additional free constant $pc$ (called program counter) is constrained to range over a finite set $L = \{l_1, \dots, l_n\}$ of program locations, over which we distinguish the initial and error locations, denoted by $l_I$ and $l_E$ respectively.

$\mathcal{T}$ is a set of finitely many formulae $\{\tau_1(\mathbf{v}, \mathbf{v}'), \dots, \tau_r(\mathbf{v}, \mathbf{v}')\}$ called transition formulae, representing the program's body (here $\mathbf{v}'$ are renamed copies of the $\mathbf{v}$ representing the next-state variables). $\mathcal{P} = (\mathbf{v}, l_I, l_E, \mathcal{T})$ is safe iff there is no satisfiable formula like

$$(pc^0 = l_I) \wedge \tau_{i_1}(\mathbf{v}^0, \mathbf{v}^1) \wedge \cdots \wedge \tau_{i_k}(\mathbf{v}^{k-1}, \mathbf{v}^k) \wedge (pc^k = l_E)$$

where $\mathbf{v}^0, \dots, \mathbf{v}^k$ are renamed copies of the $\mathbf{v}$ and each $\tau_{i_h}$ belongs to $\mathcal{T}$.

Sentences denoting sets of states reachable by $\mathcal{P}$ can be:

- ground sentences, i.e., sentences of the kind $\phi(\mathbf{c}, \mathbf{a}, pc)$;

- $\Sigma^0_1$-sentences, i.e., sentences of the form $\exists \underline{i}.\ \phi(\underline{i}, \mathbf{a}, \mathbf{c}, pc)$;

- $\Sigma^0_2$-sentences, i.e., sentences of the form $\exists \underline{i}\, \forall \underline{j}.\ \phi(\underline{i}, \underline{j}, \mathbf{a}, \mathbf{c}, pc)$.

We remark that in our context satisfiability can be fully decided only for ground sentences and $\Sigma^0_1$-sentences (by Skolemization, as a consequence of the general combination results [32, 35]), while only subclasses of $\Sigma^0_2$-sentences enjoy a decision procedure [15, 22]. Transition formulae can also be classified in three groups:

- ground assignments, i.e., transitions of the form

$$pc = l \wedge \phi_L(\mathbf{c}, \mathbf{a}) \wedge pc' = l' \wedge \mathbf{a}' = \lambda j.\, \mathbf{G}(\mathbf{c}, \mathbf{a}, j) \wedge \mathbf{c}' = \mathbf{H}(\mathbf{c}, \mathbf{a}) \qquad (1)$$

- $\Sigma^0_1$-assignments, i.e., transitions of the form

$$\exists \underline{k} \left( pc = l \wedge \phi_L(\mathbf{c}, \mathbf{a}, \underline{k}) \wedge pc' = l' \wedge \mathbf{a}' = \lambda j.\, \mathbf{G}(\mathbf{c}, \mathbf{a}, \underline{k}, j) \wedge \mathbf{c}' = \mathbf{H}(\mathbf{c}, \mathbf{a}, \underline{k}) \right) \qquad (2)$$

- $\Sigma^0_2$-assignments, i.e., transitions of the form

$$\exists \underline{k} \left( pc = l \wedge \phi_L(\mathbf{c}, \mathbf{a}, \underline{k}) \wedge \forall \underline{j}\, \psi_L(\mathbf{c}, \mathbf{a}, \underline{k}, \underline{j}) \wedge pc' = l' \wedge \mathbf{a}' = \lambda j.\, \mathbf{G}(\mathbf{c}, \mathbf{a}, \underline{k}, j) \wedge \mathbf{c}' = \mathbf{H}(\mathbf{c}, \mathbf{a}, \underline{k}) \right) \qquad (3)$$

where $\mathbf{G} = G_1, \dots, G_s$ and $\mathbf{H} = H_1, \dots, H_t$ are tuples of definable functions (vectors of equations like $\mathbf{a}' = \lambda j.\, \mathbf{G}(\mathbf{c}, \mathbf{a}, \underline{k}, j)$ can be replaced by the corresponding first-order sentences $\forall j.\ \bigwedge_{h=1}^{s} a'_h(j) = G_h(\mathbf{c}, \mathbf{a}, \underline{k}, j)$).

The composition $\tau_1 \circ \tau_2$ of two transitions $\tau_1(\mathbf{v}, \mathbf{v}')$ and $\tau_2(\mathbf{v}, \mathbf{v}')$ is expressed by the formula $\exists \mathbf{v}_1 (\tau_1(\mathbf{v}, \mathbf{v}_1) \wedge \tau_2(\mathbf{v}_1, \mathbf{v}'))$ (notice that composition may result in an inconsistent formula, e.g., in case of location mismatch). The preimage $Pre(\tau, K)$ of the set of states satisfying the formula $K(\mathbf{v})$ along the transition $\tau(\mathbf{v}, \mathbf{v}')$ is the set of states satisfying the formula $\exists \mathbf{v}' (\tau(\mathbf{v}, \mathbf{v}') \wedge K(\mathbf{v}'))$. The following proposition is immediate by straightforward syntactic manipulations:

Proposition 3.1. Let $\tau, \tau_1, \tau_2$ be transition formulae and let $K(\mathbf{v})$ be a formula. We have that: (i) if $\tau_1, \tau_2, \tau, K$ are ground, then $\tau_1 \circ \tau_2$ is a ground assignment and $Pre(\tau, K)$ is a ground formula; (ii) if $\tau_1, \tau_2, \tau, K$ are $\Sigma^0_1$, then $\tau_1 \circ \tau_2$ is a $\Sigma^0_1$-assignment and $Pre(\tau, K)$ is a $\Sigma^0_1$-sentence; (iii) if $\tau_1, \tau_2, \tau, K$ are $\Sigma^0_2$, then $\tau_1 \circ \tau_2$ is a $\Sigma^0_2$-assignment and $Pre(\tau, K)$ is a $\Sigma^0_2$-sentence.

4 Backward search and acceleration 

This section demonstrates the practical applicability of the theoretical results of the paper in program verification. In particular, it presents the application of the accelerated transitions during reachability analysis for guarded assignments representing programs handling arrays. For readability, we first present a basic reachability procedure. We subsequently analyze the divergence problems and show how acceleration can be applied to solve them. Applying acceleration is not straightforward, though: the presence of accelerated transitions might generate undesirable $\Sigma^0_2$-sentences. The solution we propose is to over-approximate such sentences by adopting a selective instantiation schema, known in the literature as monotonic abstraction. An enhanced reachability procedure integrating acceleration and monotonic abstraction concludes the section.

The methodology we exploit to check safety of a program $\mathcal{P} = (\mathbf{v}, l_I, l_E, \mathcal{T})$ is backward search: we successively explore, through symbolic representation, all states leading to the error location $l_E$ in one step, then in two steps, in three steps, etc., until either we find a fixpoint or we reach $l_I$. To do this properly, it is convenient to build a tree: the tree has arcs labeled by transitions and nodes labeled by formulae over $\mathbf{v}$. Leaves of the tree might be marked 'checked', 'unchecked' or 'covered'. The tree is built according to the following non-deterministic rules.

Backward Search

Initialization: a single-node tree labeled by $pc = l_E$ and marked 'unchecked'.

Check: pick an unchecked leaf $L$ labeled with $K$. If $K \wedge pc = l_I$ is satisfiable ('safety test'), exit and return unsafe. If it is not satisfiable, check whether there is a set $S$ of uncovered nodes such that (i) $L \notin S$ and (ii) $K$ is inconsistent with the conjunction of the negations of the formulae labeling the nodes in $S$ ('fixpoint check'). If it is so, mark $L$ as 'covered' (by $S$). Otherwise, mark $L$ as 'checked'.

Expansion: pick a checked leaf $L$ labeled with $K$. For each transition $\tau_i \in \mathcal{T}$, add a new leaf below $L$ labeled with $Pre(\tau_i, K)$ and marked as 'unchecked'. The arc between $L$ and the new leaf is labeled with $\tau_i$.

Safety Exit: if all leaves are covered, exit and return safe.

The algorithm may not terminate (this is unavoidable by well-known undecidability results). Its correctness depends on the possibility of discharging safety tests with complete algorithms. By Proposition 3.1, if transitions are ground or $\Sigma^0_1$-assignments, completeness of safety tests arising during the backward reachability procedure is guaranteed by the fact that satisfiability of $\Sigma^0_1$-formulae is decidable. For fixpoint tests, sound but incomplete algorithms may compromise termination, but not correctness of the answer; hence for fixpoint tests we can adopt incomplete pragmatic algorithms (e.g., if in fixpoint tests we need to test satisfiability of $\Sigma^0_2$-sentences, the obvious strategy is to Skolemize existentially quantified variables and to instantiate the universally quantified ones over sets of terms chosen according to suitable heuristics). To sum up, we have:

Proposition 4.1. The above Backward Search procedure is partially correct for programs whose transitions are $\Sigma^0_1$-assignments, i.e., when the procedure terminates it gives correct information about the safety of the input program.

Divergence phenomena are usually not due to incomplete algorithms for fixpoint tests (in fact, divergence persists even in cases where fixpoint tests are precise).
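As an added illustration (this is not code from the paper, nor from MCMT), the Python script below runs the four rules of Backward Search on a finite instance of the Reverse program of Figure 1(b): $N$ is fixed and array cells range over $\{0, 1\}$, so every node label is a concrete set of states, $Pre$ is a set operation, the fixpoint check is set inclusion and the safety test is intersection with the initial states. The `loop_bound` parameter is an assumption added here only to exercise the unsafe verdict on an off-by-one variant of the loop (exit at $c = N$, so $O[N]$ is never written); the figure's guard corresponds to the default $N+1$.

```python
from itertools import product


def reverse_transitions(N, loop_bound=None):
    """Transitions tau1..tau4 of the Reverse program as successor functions on
    concrete states (pc, c, I, O), with I and O tuples of length N+1.  Each
    function returns the set of next states (empty when its guard is false).
    loop_bound defaults to N+1 (the guard of Figure 1(b)); loop_bound = N is an
    assumed off-by-one variant used to show an unsafe verdict."""
    bound = N + 1 if loop_bound is None else loop_bound

    def t1(s):                       # pc = 1 ∧ pc' = 2 ∧ c' = 0
        pc, c, I, O = s
        return {(2, 0, I, O)} if pc == 1 else set()

    def t2(s):                       # pc = 2 ∧ c ≠ bound ∧ c' = c+1 ∧ O' = wr(O, c, I(N−c))
        pc, c, I, O = s
        if pc != 2 or c == bound or c > N:   # c > N: write would fall outside the array
            return set()
        O2 = O[:c] + (I[N - c],) + O[c + 1:]
        return {(2, c + 1, I, O2)}

    def t3(s):                       # pc = 2 ∧ c = bound ∧ pc' = 3
        pc, c, I, O = s
        return {(3, c, I, O)} if pc == 2 and c == bound else set()

    def t4(s):                       # pc = 3 ∧ ∃z1,z2 (z1+z2 = N ∧ I(z1) ≠ O(z2)) ∧ pc' = 4
        pc, c, I, O = s
        violated = any(I[z1] != O[N - z1] for z1 in range(N + 1))
        return {(4, c, I, O)} if pc == 3 and violated else set()

    return [t1, t2, t3, t4]


def all_states(N):
    """The finite state space: pc in 1..4, c in 0..N+1, arrays over {0, 1}."""
    arrays = list(product((0, 1), repeat=N + 1))
    return [(pc, c, I, O) for pc in (1, 2, 3, 4) for c in range(N + 2)
            for I in arrays for O in arrays]


def pre(tau, K, states):
    """Pre(tau, K): the states having some tau-successor in K."""
    return {s for s in states if tau(s) & K}


def backward_search(N, loop_bound=None):
    """Backward Search over concrete state sets; returns 'safe' or 'unsafe'."""
    states = all_states(N)
    trans = reverse_transitions(N, loop_bound)
    initial = {s for s in states if s[0] == 1}           # pc = l_I
    unchecked = [{s for s in states if s[0] == 4}]       # Initialization: pc = l_E
    checked_union = set()                                 # union of all checked labels
    while unchecked:                                      # Check
        K = unchecked.pop()
        if K & initial:                                   # safety test
            return "unsafe"
        if K <= checked_union:                            # fixpoint check: K is covered
            continue
        checked_union |= K                                # mark as checked
        for tau in trans:                                 # Expansion
            P = pre(tau, K, states)
            if P:
                unchecked.append(P)
    return "safe"                                         # Safety Exit


if __name__ == "__main__":
    print(backward_search(2), backward_search(2, loop_bound=2))
```

With the finite state space the procedure always terminates; the divergence discussed next appears only when the node labels are symbolic formulae over an unbounded $N$.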



Example 4.1. Consider the running example in Figure 1(b): it reverses the content of the array $I$ into $O$. In our formalism, it is represented by the following transitions:⁴

$\tau_1 \equiv pc = 1 \wedge pc' = 2 \wedge c' = 0$

$\tau_2 \equiv pc = 2 \wedge c \neq N+1 \wedge c' = c+1 \wedge O' = wr(O, c, I(N-c))$

$\tau_3 \equiv pc = 2 \wedge c = N+1 \wedge pc' = 3$

$\tau_4 \equiv pc = 3 \wedge \exists z_1 \geq 0, z_2 \geq 0\, (z_1 + z_2 = N \wedge I(z_1) \neq O(z_2)) \wedge pc' = 4$.

Notice that $\tau_1, \tau_2, \tau_3$ are all ground assignments; only $\tau_4$ (which translates the error condition) is a $\Sigma^0_1$-assignment. If we apply our tree generation procedure, we get an infinite branch, whose nodes, after routine simplifications, are labeled as follows

$$[K_i] \equiv pc = 2 \wedge \exists z_1, z_2\, (\psi(z_1, z_2) \wedge c = N - i \wedge z_2 \neq N \wedge \cdots \wedge z_2 \neq N - i)$$

where $\psi(z_1, z_2)$ stands for $z_1 \geq 0 \wedge z_2 \geq 0 \wedge z_1 + z_2 = N \wedge I(z_1) \neq O(z_2)$. □

As demonstrated by the above example, a source of divergence is that we are unable to represent in one shot the effect of executing finitely many times a given sequence of transitions. Acceleration can solve this problem.

Definition 4.1. The $n$-th composition of a transition $\tau(\mathbf{v}, \mathbf{v}')$ with itself is recursively defined by $\tau^1 := \tau$ and $\tau^{n+1} := \tau \circ \tau^n$. The acceleration $\tau^+$ of $\tau$ is $\bigvee_{n \geq 1} \tau^n$.

In general, acceleration requires a logic supporting infinite disjunctions. Notable exceptions are witnessed by Theorem 6.1. For now we focus on examples where accelerations yield $\Sigma^0_2$-assignments starting from ground assignments.

Example 4.2. Recall transition $\tau_2$ from the running example:

$$\tau_2 \equiv pc = 2 \wedge c \neq N+1 \wedge pc' = 2 \wedge c' = c+1 \wedge I' = I \wedge O' = wr(O, c, I(N-c))$$

(here we displayed identical updates for completeness). Notice that the variable $pc$ is left unchanged in this transition (this is essential, otherwise the acceleration gives an inconsistent transition that can never fire). If we accelerate it, we get the $\Sigma^0_2$-assignment⁵

$$\exists n > 0 \left( pc = 2 \wedge \forall j\, (c \leq j < c+n \to j \neq N+1) \wedge c' = c+n \wedge I' = I \wedge pc' = 2 \wedge O' = \lambda j.\, (\text{if } c \leq j < c+n \text{ then } I(N-j) \text{ else } O(j)) \right) \qquad (4)$$

□
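The closed form (4) can be checked against Definition 4.1 on concrete states. The Python code below is an added example, not part of the paper: it implements $\tau_2$ and one application of (4) with the existential $n$ fixed to a given value, and compares $n$-fold iteration of $\tau_2$ with the accelerated transition for every starting counter value and every $n$ on a constructed array. States are tuples `(pc, c, I, O)` with arrays as Python lists indexed $0..N$; the function names are this example's own.

```python
def tau2(state, N):
    """One firing of τ2: pc = 2 ∧ c ≠ N+1 ∧ pc' = 2 ∧ c' = c+1 ∧ O' = wr(O, c, I(N−c)).
    Returns None when the guard is false (the transition cannot fire)."""
    pc, c, I, O = state
    if pc != 2 or c == N + 1:
        return None
    O2 = list(O)
    O2[c] = I[N - c]                 # wr(O, c, I(N−c))
    return (2, c + 1, I, O2)


def tau2_iterated(state, n, N):
    """τ2ⁿ by explicit iteration (Definition 4.1); None if some step is blocked."""
    for _ in range(n):
        state = tau2(state, N)
        if state is None:
            return None
    return state


def tau2_accelerated(state, n, N):
    """One application of (4) with the existential n fixed:
       pc = 2 ∧ ∀j (c ≤ j < c+n → j ≠ N+1) ∧ c' = c+n ∧ pc' = 2
            ∧ O' = λj. (if c ≤ j < c+n then I(N−j) else O(j))."""
    pc, c, I, O = state
    if pc != 2 or n <= 0:
        return None
    # the universally quantified guard, checked for every j in the window
    if any(j == N + 1 for j in range(c, c + n)):
        return None
    O2 = [I[N - j] if c <= j < c + n else O[j] for j in range(len(O))]
    return (2, c + n, I, O2)


def agree_on_all_windows(N, I):
    """Exhaustive check for one array I: for every start c in 0..N+1 and every
    n in 1..N+2, iteration and acceleration yield the same state, or are both
    blocked (the window contains N+1)."""
    O0 = [None] * (N + 1)            # O's initial content is irrelevant
    for c in range(0, N + 2):
        for n in range(1, N + 3):
            s0 = (2, c, I, O0)
            if tau2_iterated(s0, n, N) != tau2_accelerated(s0, n, N):
                return False
    return True


if __name__ == "__main__":
    print(agree_on_all_windows(4, [10, 20, 30, 40, 50]))
```

The `∀j` guard of (4) is what makes the accelerated step block exactly when one of the $n$ concrete steps would have been blocked; dropping it would let the accelerated transition run past the end of the array.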
In the presence of these accelerated $\Sigma^0_2$-assignments, Backward Search can produce problematic $\Sigma^0_2$-sentences (see Proposition 3.1 above) which cannot be handled precisely by existing solvers. As a solution to this problem we propose applying to such sentences a suitable abstraction, namely monotonic abstraction.

Definition 4.2. Let $\psi := \exists \underline{i}\, \forall \underline{j}.\ \phi(\underline{i}, \underline{j}, \mathbf{a}, \mathbf{c}, pc)$ be a $\Sigma^0_2$-sentence and let $\mathcal{S}$ be a finite set of terms of the kind $t(\underline{i}, \mathbf{v})$. The monotonic $\mathcal{S}$-approximation of $\psi$ is the $\Sigma^0_1$-sentence

$$\exists \underline{i} \bigwedge_{\sigma : \underline{j} \to \mathcal{S}} \phi(\underline{i}, \underline{j}\sigma / \underline{j}, \mathbf{a}, \mathbf{c}, pc) \qquad (5)$$

(here $\underline{j}\sigma$, if $\underline{j} = j_1, \dots, j_n$, is the tuple of terms $\sigma(j_1), \dots, \sigma(j_n)$).

By Definition 4.2, universally quantified variables are eliminated through instantiation; the larger the set $\mathcal{S}$ is, the better the approximation you get. In practice, the natural choices for $\mathcal{S}$ are $\underline{i}$ or the set of terms of the kind $t(\underline{i}, \mathbf{v})$ occurring in $\psi$ (we adopted the former choice in our implementation). As a result of replacing $\Sigma^0_2$-sentences by their monotonic approximation, spurious unsafe traces might occur. However, those can be disregarded if accelerated transitions contribute to their generation. This is because if $\mathcal{P}$ is unsafe, then unsafety can be discovered without appealing to accelerated transitions.

To integrate monotonic abstraction, the above Backward Search procedure is modified as follows. In a Preprocessing step, we add some accelerated transitions of the kind $(\tau_1 \circ \cdots \circ \tau_n)^+$ to $\mathcal{T}$. These transitions can be found by inspecting cycles in the control flow graph of the program and accelerating them following the procedure described in Sections 5 and 6. The natural cycles to inspect are those corresponding to loop branches in the source code. It should be noticed, however, that identifying the good cycles to accelerate is subject to specific heuristics that deserve separate investigation in case the program has infinitely many cycles (choosing cycles from branches of innermost loops is the simplest example of such heuristics and the one we implemented).

⁴ For readability, we omit identical updates like $I' = I$, etc. Notice that we have $l_I = 1$ and $l_E = 4$.

⁵ This $\Sigma^0_2$-assignment can be automatically computed using the procedures outlined in the proof of Theorem 6.1.

After this extra preprocessing step, the remaining instructions are left unchanged, with the exception of Check, which is modified as follows:

Check': pick an unchecked leaf $L$ labeled by a formula $K$. If $K$ is a $\Sigma^0_2$-sentence, choose a suitable $\mathcal{S}$ and replace $K$ by its monotonic $\mathcal{S}$-abstraction $K'$. If $K' \wedge pc = l_I$ is inconsistent, mark $L$ as 'covered' or 'checked' according to the outcome of the fixpoint check, as was done in the original Check. If $K' \wedge pc = l_I$ is satisfiable, analyze the path from the root to $L$. If no accelerated transition $\tau^+$ is found in it, return unsafe; otherwise remove the sub-tree $D$ from the target of $\tau^+$ to the leaves. Each node $N$ covered by a node in $D$ will be flagged as 'unchecked' (to make it eligible in future for the Expansion instruction).

The new procedure will be referred to as Backward Search'. It is quite straightforward to see that Proposition 4.1 still applies to the modified algorithm. Notice that, although termination cannot be ensured (given well-known undecidability results), spurious traces containing approximated accelerated transitions cannot be produced again and again: when the sub-tree $D$ from the target node $v$ of $\tau^+$ is removed by Check', the node $v$ is not a leaf (the arcs labeled by the transitions $\tau$ are still there), hence it cannot be expanded anymore according to the Expansion instruction.

Example 4.3. Let us again consider our running example and demonstrate how acceleration and monotonic abstraction work. In the preprocessing step, we add the accelerated transition $\tau_2^+$ given by (4) to the transitions we already have. After having computed $[K'] \equiv Pre(\tau_4, K)$ and $[K''] \equiv Pre(\tau_3, K')$, we compute $[K'''] \equiv Pre(\tau_2^+, K'')$ and get

$$\exists n > 0\, \exists z_1, z_2 \left( pc = 2 \wedge \forall j\, (c \leq j < c+n \to j \neq N+1) \wedge c + n = N+1 \wedge z_1 \geq 0 \wedge z_2 \geq 0 \wedge z_1 + z_2 = N \wedge I(z_1) \neq \lambda j.\,(\text{if } c \leq j < c+n \text{ then } I(N-j) \text{ else } O(j))(z_2) \right)$$

We approximate using the set of terms $\mathcal{S} = \{z_1, z_2, n\}$. After simplifications we get

$$\exists z_1, z_2\, (pc = 2 \wedge c \leq N \wedge z_1 \geq 0 \wedge z_2 \geq 0 \wedge z_1 + z_2 = N \wedge O(z_2) \neq I(z_1) \wedge c > z_2)$$

Generating this formula is enough to stop divergence. □

Notice that in the computations of the above example we eventually succeeded in eliminating the extra quantifier $\exists n$ introduced by the accelerated transition. This is not always possible: sometimes, in fact, to get the good invariant one needs more quantified variables than those occurring in the annotated program, and accelerated transitions might be the way of getting such additional quantified variables. As an example of this phenomenon, consider the init+test program included in our benchmark suite of Section 7 below.
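Definition 4.2 can be exercised on the sentence just computed. The Python code below is an added example rather than the paper's implementation: on concrete $(c, I, O)$ states for a small fixed $N$, with all quantified variables ranging over $0..N+1$, it evaluates the $\Sigma^0_2$-sentence $Pre(\tau_2^+, K'')$, its monotonic $\{z_1, z_2, n\}$-approximation (the $\forall j$ replaced by the three instances $j := z_1$, $j := z_2$, $j := n$) and the simplified formula, and checks that every state satisfying the exact sentence satisfies the approximation and that the approximation coincides with the simplified formula. The bounded domains and the function names are assumptions of this example.

```python
from itertools import product


def matrix(c, I, O, N, n, z1, z2, j):
    """Quantifier-free matrix φ of Pre(τ2⁺, K'') (pc = 2 assumed); the
    universally quantified j is passed as an argument."""
    if not (n > 0 and c + n == N + 1 and z1 >= 0 and z2 >= 0 and z1 + z2 == N):
        return False
    guard = (not (c <= j < c + n)) or j != N + 1        # c ≤ j < c+n → j ≠ N+1
    cell = I[N - z2] if c <= z2 < c + n else O[z2]       # (λj. if … then I(N−j) else O(j))(z2)
    return guard and I[z1] != cell


def exact(c, I, O, N):
    """∃n ∃z1 ∃z2 ∀j φ, with every variable ranging over 0..N+1."""
    dom = range(N + 2)
    return any(all(matrix(c, I, O, N, n, z1, z2, j) for j in dom)
               for n in dom for z1 in dom for z2 in dom)


def monotonic_approx(c, I, O, N):
    """Definition 4.2 with S = {z1, z2, n}: the ∀j becomes the conjunction of
    the instances j := z1, j := z2 and j := n."""
    dom = range(N + 2)
    return any(all(matrix(c, I, O, N, n, z1, z2, j) for j in (z1, z2, n))
               for n in dom for z1 in dom for z2 in dom)


def simplified(c, I, O, N):
    """∃z1,z2 (c ≤ N ∧ z1 ≥ 0 ∧ z2 ≥ 0 ∧ z1+z2 = N ∧ O(z2) ≠ I(z1) ∧ c > z2)."""
    return any(c <= N and z1 + z2 == N and O[z2] != I[z1] and c > z2
               for z1 in range(N + 1) for z2 in range(N + 1))


def check_all_states(N, values=(0, 1)):
    """Over every pair of arrays with entries in `values` and every c in 0..N+1,
    return (sound, equals_simplified, lossless):
      sound             - exact ⇒ approximation (it is an over-approximation)
      equals_simplified - approximation ⇔ the simplified formula of the text
      lossless          - approximation ⇒ exact (no precision is lost here)"""
    sound = equals_simplified = lossless = True
    for I in product(values, repeat=N + 1):
        for O in product(values, repeat=N + 1):
            for c in range(N + 2):
                ex =  exact(c, I, O, N)
                ap = monotonic_approx(c, I, O, N)
                si = simplified(c, I, O, N)
                sound &= (not ex) or ap
                equals_simplified &= (ap == si)
                lossless &= (not ap) or ex
    return sound, equals_simplified, lossless


if __name__ == "__main__":
    print(check_all_states(2))
```

For this particular sentence the approximation is even lossless, because the only conjunct mentioning $j$ is the guard of (4), which is already implied by $c + n = N + 1$; in general only the `sound` property is guaranteed by Definition 4.2.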

5 Iterators 

This section introduces iterators and selectors, two main ingredients used to supply a useful format to compute accelerated transitions. Iterators are meant to formalize the notion of a counter scanning the indexes of an array: the simplest iterators are increments and decrements, but one may also build more complex ones for different scans, like in binary search. We give their formal definition and then we supply some examples. We need to handle tuples of terms because we want to consider the case in which we deal with different arrays with possibly different scanning variables. Given an $m$-tuple of terms

$$\mathbf{u}(\underline{x}) := u_1(x_1, \dots, x_m), \dots, u_m(x_1, \dots, x_m) \qquad (6)$$

containing the $m$ variables $\underline{x} = x_1, \dots, x_m$, we indicate with $\mathbf{u}^n$ the term expressing the $n$-times composition of (the function denoted by) $\mathbf{u}$ with itself. Formally, we have $\mathbf{u}^0(\underline{x}) := \underline{x}$ and

$$\mathbf{u}^{n+1}(\underline{x}) := u_1(\mathbf{u}^n(\underline{x})), \dots, u_m(\mathbf{u}^n(\underline{x})).$$



Definition 5.1. A tuple of terms $\mathbf{u}$ like (6) is said to be an iterator iff there exists an $m$-tuple of $(m+1)$-ary terms $\mathbf{u}^*(\underline{x}, y) := u^*_1(x_1, \dots, x_m, y), \dots, u^*_m(x_1, \dots, x_m, y)$ such that for any natural number $n$ the formula

$$\mathbf{u}^n(\underline{x}) = \mathbf{u}^*(\underline{x}, \bar n) \qquad (7)$$

is valid.⁶ Given an iterator $\mathbf{u}$ as above, we say that an $m$-ary term $\kappa(x_1, \dots, x_m)$ is a selector for $\mathbf{u}$ iff there is an $(m+1)$-ary term $\iota(x_1, \dots, x_m, y)$ yielding the validity of the formula

$$z = \kappa(\mathbf{u}^*(\underline{x}, y)) \to y = \iota(\underline{x}, z). \qquad (8)$$

The meaning of condition (8) is that, once the input $\underline{x}$ and the selected output $z$ are known, it is possible to identify uniquely (through $\iota$) the number of iterations $y$ that are needed to get $z$ by applying $\kappa$ to $\mathbf{u}^*(\underline{x}, y)$. The term $\kappa$ is a selector function that selects (and possibly modifies) one of the $u_i$; in most applications (though not always) $\kappa$ is a projection, represented as a variable $x_i$ (for $1 \leq i \leq m$), so that $\kappa(\mathbf{u}^*(\underline{x}, y))$ is just the $i$-th component $u^*_i(\underline{x}, y)$ of the tuple of terms $\mathbf{u}^*(\underline{x}, y)$. In these cases, the formula (8) reads as

$$z = u^*_i(\underline{x}, y) \to y = \iota(\underline{x}, z). \qquad (9)$$

Example 5.1. The canonical example is when we have $m = 1$ and $\mathbf{u} := u_1(x_1) := x_1 + 1$; this is an iterator with $u^*(x_1, y) := x_1 + y$; as a selector, we can take $\kappa(x_1) := x_1$ and $\iota(x_1, z) := z - x_1$. □

Example 5.2. The previous example can be modified by choosing $\mathbf{u}$ to be $x_1 + n$, for some integer $n \neq 0$: then we have $u^*(x_1, y) := x_1 + n*y$, $\kappa(x_1) := x_1$, and $\iota(x_1, z) := (z - x_1)//n$ (here $//$ is integer division; recall that integer division by a given $n$ is definable in Presburger arithmetic). □

Example 5.3. If we move to more expressive arithmetic theories, like Primitive Recursive Arithmetic (where we have a symbol for every primitive recursive function), we can get many more examples. The following example arises in a branch of binary search algorithms. Take $\mathbf{u} := x_1 // 2$; we get $u^*(x_1, y) = x_1 // 2^y$, $\kappa(x_1) := x_1$, $\iota(x_1, z) := \lfloor \log_2(x_1 / z) \rfloor$. □

Example 5.4. As an example with $m > 1$, we can take $\mathbf{u} := x_1 + x_2, x_2$ and get $u^*_1(x_1, x_2, y) = x_1 + y * x_2$, $u^*_2(x_1, x_2, y) = x_2$. Here a selector is for instance $\kappa_1(x_1, x_2) := 7 + x_1$, $\iota(x_1, x_2, z) := (z - x_1 - 7)//x_2$. □
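The four examples above can be checked mechanically against conditions (7) and (8). The Python code below is an added example, not the paper's: each iterator is a record holding `u`, `u_star`, `kappa` and `iota` as Python functions on tuples (the record layout and the helper names are this example's own), `check_iterator` compares the $n$-fold composition $\mathbf{u}^n$ with the closed form $\mathbf{u}^*$ and `check_selector` verifies that $\iota$ recovers the iteration count from the selected output. For the halving iterator of Example 5.3, $\iota$ involves a division by $z$, so (8) is only meaningful before the scan reaches $0$; the check therefore stops at the last positive value.

```python
import math


def compose(u, x, n):
    """uⁿ(x): n-fold application of the tuple of terms u to the tuple x (u⁰(x) = x)."""
    for _ in range(n):
        x = u(x)
    return x


# Example 5.1: u = x1 + 1
inc = dict(u=lambda x: (x[0] + 1,),
           u_star=lambda x, y: (x[0] + y,),
           kappa=lambda x: x[0],
           iota=lambda x, z: z - x[0])


# Example 5.2: u = x1 + k for a fixed integer k ≠ 0; iota uses integer division
def step(k):
    assert k != 0
    return dict(u=lambda x: (x[0] + k,),
                u_star=lambda x, y: (x[0] + k * y,),
                kappa=lambda x: x[0],
                iota=lambda x, z: (z - x[0]) // k)


# Example 5.3: u = x1 // 2 (binary-search style halving); iota = floor(log2(x1 / z)),
# defined only while z > 0
halve = dict(u=lambda x: (x[0] // 2,),
             u_star=lambda x, y: (x[0] // 2 ** y,),
             kappa=lambda x: x[0],
             iota=lambda x, z: int(math.floor(math.log2(x[0] / z))))


# Example 5.4: u = (x1 + x2, x2), selector kappa1 = 7 + x1 (x2 ≠ 0 needed by iota)
affine = dict(u=lambda x: (x[0] + x[1], x[1]),
              u_star=lambda x, y: (x[0] + y * x[1], x[1]),
              kappa=lambda x: 7 + x[0],
              iota=lambda x, z: (z - x[0] - 7) // x[1])


def check_iterator(it, x, max_n):
    """Condition (7): uⁿ(x) = u*(x, n) for every n in 0..max_n."""
    return all(compose(it["u"], x, n) == it["u_star"](x, n) for n in range(max_n + 1))


def check_selector(it, x, max_n):
    """Condition (8): z = κ(u*(x, y)) → y = ι(x, z) for every y in 0..max_n."""
    for y in range(max_n + 1):
        z = it["kappa"](it["u_star"](x, y))
        if it["iota"](x, z) != y:
            return False
    return True


if __name__ == "__main__":
    print(check_iterator(halve, (100,), 10), check_selector(halve, (100,), 6))
```

A selector that cannot invert the iteration count (for instance $\kappa(x_1) := 0$ for the increment) would make `check_selector` fail at $y = 1$, which is exactly what condition (8) rules out.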

6 Accelerating local ground assignments 

Let us turn to our program $\mathcal{P} = (\mathbf{v}, l_I, l_E, \mathcal{T})$; we look for conditions on transitions from $\mathcal{T}$ allowing us to accelerate them via a $\Sigma^0_2$-assignment. Given an iterator $\mathbf{u}(\underline{x})$, a selector assignment for $\mathbf{a} := a_1, \dots, a_s$ (relative to $\mathbf{u}$) is a tuple of selectors $\kappa := \kappa_1, \dots, \kappa_s$ for $\mathbf{u}$. Intuitively, the components of the tuple are meant to indicate the scanners of the arrays $\mathbf{a}$ and as such might not be distinct (although, of course, just one selector is assigned to each array). A formula $\psi$ (resp. a term $t$) is said to be purely arithmetical over a finite set of terms $V$ iff it is obtained from a formula (resp. a term) not containing the extra free function symbols $\mathbf{a}, \mathbf{c}$ by replacing some free variables in it by terms from $V$. Let $\mathbf{v} = v_1, \dots, v_s$ and $\mathbf{w} = w_1, \dots, w_s$ be $s$-tuples of terms; below $wr(\mathbf{a}, \mathbf{v}, \mathbf{w})$ and $\mathbf{a}(\mathbf{v})$ indicate the tuples $wr(a_1, v_1, w_1), \dots, wr(a_s, v_s, w_s)$ and $a_1(v_1), \dots, a_s(v_s)$, respectively (recall from Section 3 that $s = |\mathbf{a}|$).

Definition 6.1. A local ground assignment is a ground assignment of the form

$$pc = l \wedge \phi_L(\mathbf{c}, \mathbf{a}) \wedge pc' = l \wedge \mathbf{a}' = wr(\mathbf{a}, \kappa(\mathbf{c}), \mathbf{t}(\mathbf{c}, \mathbf{a})) \wedge \mathbf{c}' = \mathbf{u}(\mathbf{c}) \wedge \mathbf{d}' = \mathbf{d} \qquad (10)$$

where (i) the numerical variables of the program are split as $\mathbf{c}, \mathbf{d}$ (in (10), $\mathbf{c}$ denotes the variables subject to update and $\mathbf{d}$ the remaining ones); (ii) $\mathbf{u}$ is an iterator for $\mathbf{c}$; (iii) the terms $\kappa$ are a selector assignment for $\mathbf{a}$ relative to $\mathbf{u}$; (iv) the formula $\phi_L(\mathbf{c}, \mathbf{a})$ and the terms $\mathbf{t}(\mathbf{c}, \mathbf{a})$ are purely arithmetical over the set of terms $\{\mathbf{c}, \mathbf{a}(\kappa(\mathbf{c}))\} \cup \{a_i(d_j)\}_{1 \leq i \leq s,\, 1 \leq j \leq |\mathbf{d}|}$; (v) the guard $\phi_L$ contains the conjuncts $\kappa_i(\mathbf{c}) \neq d_j$, for $1 \leq i \leq s$ and $1 \leq j \leq |\mathbf{d}|$.

Thus in a local ground assignment there are various restrictions: (a) the numerical variables are split into 'idle' variables $\mathbf{d}$ and variables $\mathbf{c}$ subject to update via an iterator $\mathbf{u}$; (b) the program counter is not modified; (c) the guard does not depend on the values of the $a_i$ at cells different from $\kappa_i(\mathbf{c}), \mathbf{d}$; (d) the updates of the $\mathbf{a}$ are simultaneous writing operations modifying only the entries $\kappa(\mathbf{c})$. Thus, the assignment is local and the relevant modifications it makes are determined by the selector locations. The 'idle' variables $\mathbf{d}$ are useful to accelerate branches of nested loops; the inequalities mentioned in (v) are automatically generated by making case distinctions in assignment guards (see Appendix B for an example of how all this works in practice).



¹ Recall that n̄ is the numeral of n, i.e. it is s^n(0).



Example 6.1. For our running example, we show that transition τ_2 (the one we want to accelerate) is a local ground assignment. We have d = ∅, c = c and a = I, O. The counter c is incremented by 1 at each application of τ_2. Thus, our iterator is u := x_1 + 1 and the selector assignment assigns κ_1 := N − x_1 to I and κ_2 := x_1 to O. In this way, I is modified (identically) at N − c via I' = wr(I, N − c, I(N − c)) and O is modified at c via O' = wr(O, c, I(N − c)). The guard of τ_2 is c ≠ N + 1. Since the formula c ≠ N + 1 and the term I(N − c) are purely arithmetical over {c, I(N − c), O(c)}, we conclude that τ_2 is local. □

Theorem 6.1. If τ is a local ground assignment, then τ^+ is a Σ-assignment.

Proof. (Sketch, see Appendix A for full details). Let us fix the local ground assignment (10); let a[d] indicate the s · |d|-tuple of terms {a_i(d_j)}_{1 ≤ i ≤ s, 1 ≤ j ≤ |d|}; since φ_L and t are purely arithmetical over {c, d, a(κ(c)), a[d]}, we have that they can be written as φ_L(c, d, a(κ(c)), a[d]), t(c, d, a(κ(c)), a[d]), respectively, where φ_L, t do not contain occurrences of the free function and constant symbols a, c. The transition τ^+ can be expressed as a Σ-assignment by

\[ \exists y \,\bigl( y > 0 \wedge \forall z\,(0 \le z < y \rightarrow \varphi_L(u^*(c, z), d, a(\kappa(u^*(c, z))), a[d])) \wedge d' = d \wedge pc = l \wedge pc' = l \wedge c' = u^*(c, y) \wedge a' = \lambda j.\, F(c, a, y, j) \bigr) \]

where the tuple F = F_1, ..., F_s of definable functions is given by

\[ F_h(c, a, y, j) = \text{if } 0 \le \iota_h(c, j) < y \wedge j = \kappa_h(u^*(c, \iota_h(c, j))) \text{ then } t_h(u^*(c, \iota_h(c, j)), d, a(\kappa(u^*(c, \iota_h(c, j)))), a[d]) \text{ else } a_h[j] \]

for h = 1, ..., s (here ι_1, ..., ι_s are the terms corresponding to κ_1, ..., κ_s according to the definition of a selector for the iterator u). □

We point out that the effective use of Theorem 6.1 relies on the implementation of a repository of iterators and selectors and of algorithms recognizing them. The larger the repository is, the more possibilities the model checker has to exploit the full power of acceleration.

In most applications it is sufficient to consider accelerated transitions of the canonical form of Example 5.1. Let's examine this special case in detail; here c is a single counter c that is incremented by one (otherwise said, the iterator is x_1 + 1) and the selector assignment is trivial, namely it is just x_1. We call these local ground assignments simple. Thus, a simple local ground assignment has the form

\[ pc = l \wedge \varphi_L(c, a) \wedge pc' = l \wedge c' = c + 1 \wedge a' = wr(a, c, t(c, a)) \qquad (11) \]

where the first occurrence of c in wr(a, c, t(c, a)) stands in fact for an s-tuple of terms all identical to c, and where φ_L, t are purely arithmetical over the terms c, a_1[c], ..., a_s[c]. The accelerated transition computed in the proof of Theorem 6.1 for (11) can be rewritten as follows:

\[ \exists k \,\bigl( k > 0 \wedge pc = l \wedge \forall j\,(c \le j < c + k \rightarrow \varphi_L(j, a)) \wedge pc' = l \wedge c' = c + k \wedge a' = \lambda j.\,(\text{if } c \le j < c + k \text{ then } t(j, a) \text{ else } a[j]) \bigr) \qquad (12) \]

A slight extension of the notion of a simple assignment leads to simple+-assignments: these are local ground assignments useful to accelerate branches of nested loops and are introduced in Appendix B below.

7 Experimental evaluation 

We implemented the algorithm described in Sections 4-6 as a preprocessing module inside the mcmt model checker [23]. To perform a feasibility study, we intentionally focused our implementation on simple and simple+ local ground assignments. For a thorough and unbiased evaluation we compared/combined the new technique with an abstraction algorithm suited for array programs [3] implemented in the same tool. This section describes benchmarks and discusses experimental results. A clear outcome from our experiments is that abstraction/refinement and acceleration techniques can be gainfully combined.

Benchmarks. We evaluated the new algorithm on 55 programs with arrays, each annotated with an assertion. We considered only quantifier-free or ∀-assertions. Our set of benchmarks comprises programs used to evaluate the Lazy Abstraction with Interpolation for Arrays framework [4] and other focused benchmarks where abstraction diverges. These are problems involving array manipulations such as copying, comparing, searching, sorting, initializing, testing, etc. About one third of the programs contain bugs.²

Figure 2: Comparison of time for different options of Backward Search. Stars and circles represent buggy and correct programs respectively.

Evaluation. Experiments have been run on a machine equipped with an i7@2.66 GHz CPU and 4GB of RAM running OS X. The time limit for each experiment has been set to 60 seconds. We ran mcmt with four different configurations:

• Backward Search - mcmt executes the procedure described at the beginning of Section 4.

• Abstraction - mcmt integrates the backward reachability algorithm with the abstraction/refinement loop [3].

• Acceleration - The transition system is pre-processed in order to compute accelerated transitions (when it is possible) and then the Backward Search procedure is executed.

• Accel. + Abstr. - This configuration enables both the preprocessing step in charge of computing accelerated transitions and the abstraction/refinement engine on top of the Backward Search procedure.

The complete statistics can be found in Appendix C. In summary, the comparative analysis of timings presented in Figure 2 confirms that acceleration indeed helps to avoid divergence for problematic programs where abstraction fails. The first comparison (Figure 2(a)) highlights the benefits of using acceleration: Backward Search diverges on all 39 safe instances. Acceleration stops divergence in 23 cases, and moreover the overhead introduced by the preprocessing step does not affect unsafe instances. Figure 2(b) shows that acceleration and abstraction are two complementary techniques, since mcmt times out in both cases but for two different sets of programs. Figure 2(c) and Figure 2(d) attest that acceleration and abstraction/refinement techniques mutually benefit from each other: with both techniques mcmt solves all the 55 benchmarks.

² The set of benchmarks can be downloaded from http://www.inf.usi.ch/phd/alberti/prj/acc; the toolset mcmt is available at http://users.mat.unimi.it/users/ghilardi/mcmt/.

8 Conclusion and Future Work 

We identified a class of transition relations involving array updates that can be accelerated, showed how it is possible to compute the accelerated transition and described a solution for dealing with universal quantifiers arising from the acceleration process. Our paper lays theoretical foundations for this interesting research topic and confirms by our prototype experiments on challenging benchmarks its advantages over stand-alone verification approaches, since it is able to solve problems on which other techniques fail to converge.

As future directions, a challenging task is to enlarge the definability result of Theorem 6.1 so as to cover classes of transitions modeling more and more loop branches arising from concrete programs. In addition, one may want to consider more sophisticated strategies for instantiation in order to support acceleration. Considering increasingly larger Σ-sentences, or handling Σ-sentences when they belong to decidable fragments [15, 22], may lead to further improvements.
A Proof of Theorem 6.1

In this technical Appendix, we supply the proof of Theorem 6.1.

Proof. As a preliminary observation, we notice that the bi-implications of the kind

\[ \Bigl(\bigvee_{n > 0} P(x, \bar n)\Bigr) \leftrightarrow \exists y\,(y > 0 \wedge P(x, y)) \qquad (13) \]

are valid because we interpret our formulae in the standard structure of natural numbers (enriched with extra free symbols).

As a second preliminary observation, we notice that (8) can be equivalently re-written in the form of a bi-implication as:

\[ z = \kappa(u^*(x, y)) \leftrightarrow \bigl( y = \iota(x, z) \wedge z = \kappa(u^*(x, \iota(x, z))) \bigr) \qquad (14) \]

(to see why (14) is equivalent to (8) it is sufficient to apply the logical laws of pure identity).

Let us fix a local ground assignment of the form (10); let a[d] indicate the s · |d|-tuple of terms {a_i(d_j)}_{1 ≤ i ≤ s, 1 ≤ j ≤ |d|}; since φ_L and t are purely arithmetical over {c, d, a(κ(c)), a[d]}, we have that they can be written as φ_L(c, d, a(κ(c)), a[d]), t(c, d, a(κ(c)), a[d]), respectively, where φ_L, t do not contain occurrences of the free function and constant symbols a, c.

Claim. As a first step, we show by induction on n that τ^n can be expressed as follows (we omit here and below the conjuncts pc = l ∧ pc' = l ∧ d' = d that do not play any role)

\[ \bigwedge_{0 \le k < n} \varphi_L(u^*(c, \bar k), d, a(\kappa(u^*(c, \bar k))), a[d]) \wedge c' = u^*(c, \bar n) \wedge a' = \lambda j.\, F(c, a, \bar n, j) \qquad (15) \]

where the tuple F = F_1, ..., F_s of definable functions is given by³

\[ F_h(c, a, y, j) = \text{if } 0 \le \iota_h(c, j) < y \wedge j = \kappa_h(u^*(c, \iota_h(c, j))) \text{ then } t_h(u^*(c, \iota_h(c, j)), d, a(\kappa(u^*(c, \iota_h(c, j)))), a[d]) \text{ else } a_h[j] \qquad (16) \]

for h = 1, ..., s (here ι_1, ..., ι_s are the terms corresponding to κ_1, ..., κ_s according to the definition of a selector for the iterator u).

Proof of the Claim. For n = 1, notice that φ_L(u*(c, 0), d, a(κ(u*(c, 0))), a[d]) is equivalent to φ_L(c, d, a(κ(c)), a[d]), that c' = u*(c, 1) is equivalent to c' = u(c) and that λj. F(c, a, 1, j) = wr(a, κ(c), t(c, d, a(κ(c)), a[d])) holds (the latter because for every h, ι_h(c, j) = 0 ∧ j = κ_h(u*(c, ι_h(c, j))) is equivalent to j = κ_h(u*(c, 0)) = κ_h(c) by (14)).

For the induction step, we suppose the Claim holds for n and show it for n + 1. As a preliminary remark, notice that from (10), we get not only d' = d, but also a'[d'] = a[d], because of (v) of Definition 6.1. As a consequence, after n iterations of τ, the values d, a[d] are left unchanged; thus, for notational simplicity, we will not display anymore below the dependence of φ_L, t on d, a[d]. We need to show that τ ∘ τ^n matches the required shape (15)-(16) with n + 1 instead of n. After unraveling the definitions, this splits into three sub-claims, concerning the update of the c, the guard and the update of the a, respectively:

(i) the equality u(u*(c, n̄)) = u*(c, \overline{n+1}) is valid;

(ii) the formula

\[ \bigwedge_{0 \le k < n} \varphi_L(u^*(c, \bar k), a(\kappa(u^*(c, \bar k)))) \wedge \varphi_L(u^*(c, \bar n), \lambda j.\,F(c, a, \bar n, j)(\kappa(u^*(c, \bar n)))) \]

is equivalent to

\[ \bigwedge_{0 \le k < n+1} \varphi_L(u^*(c, \bar k), a(\kappa(u^*(c, \bar k)))); \]

(iii) wr(λj. F(c, a, n̄, j), κ(u*(c, n̄)), t(u*(c, n̄), λj. F(c, a, n̄, j)(κ(u*(c, n̄))))) is the same function as λj. F(c, a, \overline{n+1}, j).



³ The following is an informal explanation of the formula (16) expressing iterated updates. The point is to recognize whether a given cell j has been overwritten or not within the first y iterations. The number ι_h(c, j) gives the candidate number of iterations needed to get j and the further condition j = κ_h(u*(c, ι_h(c, j))) checks whether this number is correct or not. Take for instance Example 5.2 with n = 2. Then if we have a single counter initialized to say 4, our iterations give values 4 + 2, 4 + 2 + 2, ... for the updated counter. If we want to know whether j can be reached within less than 5 iterations, we just compute ι(4, j) which is the quotient of the integer division of j − 4 by 2. Then we need to check that ι(4, j) is among 0, ..., 4 = 5 − 1 and also that j can be really reached from c = 4 by adding 2 to it ι(4, j) times (the latter won't be true if j is odd).
Indeed statement (i) is trivial, because u(u*(c, n̄)) = u(u^n(c)) = u^{n+1}(c) = u*(c, \overline{n+1}) holds by (7). To show (ii), it is sufficient to check that

\[ a(\kappa(u^*(c, \bar n))) = \lambda j.\, F(c, a, \bar n, j)(\kappa(u^*(c, \bar n))) \qquad (17) \]

is true. In turn, this follows from (16) and the validity of the following implications (varying h = 1, ..., s)

\[ \iota_h(c, j) \ne \bar n \rightarrow j \ne \kappa_h(u^*(c, \bar n)) \qquad (18) \]

(in fact, a_h and F_h can possibly differ only for the j satisfying 0 ≤ ι_h(c, j) < n̄, i.e. in particular for the j such that ι_h(c, j) ≠ n̄). To see why (18) is valid, notice that in view of (8), what (18) says is that we cannot have simultaneously both ι_h(c, j) = n̄ and ι_h(c, j) = m̄, for some m ≠ n: indeed it is so by the definition of a function.

It remains to prove (iii); in view of (17) just shown, we need to check that

\[ wr(\lambda j.\, F(c, a, \bar n, j), \kappa(u^*(c, \bar n)), t(u^*(c, \bar n), a(\kappa(u^*(c, \bar n))))) \]

is the same as λj. F(c, a, \overline{n+1}, j). For every h = 1, ..., s, this is split into three cases, corresponding to the validity check for the three implications:

\[ \iota_h(c, j) < \bar n \rightarrow wr(\lambda j.\, F_h(c, a, \bar n, j), \kappa_h(u^*(c, \bar n)), t_h)(j) = F_h(c, a, \overline{n+1}, j) \]

\[ \iota_h(c, j) = \bar n \rightarrow wr(\lambda j.\, F_h(c, a, \bar n, j), \kappa_h(u^*(c, \bar n)), t_h)(j) = F_h(c, a, \overline{n+1}, j) \]

\[ \iota_h(c, j) > \bar n \rightarrow wr(\lambda j.\, F_h(c, a, \bar n, j), \kappa_h(u^*(c, \bar n)), t_h)(j) = F_h(c, a, \overline{n+1}, j) \]

where we wrote simply t_h instead of t_h(u*(c, n̄), a(κ(u*(c, n̄)))). However, keeping in mind (18) and (14), the three implications can be rewritten as follows (the second one is split into two subcases)

\[ \iota_h(c, j) < \bar n \rightarrow F_h(c, a, \bar n, j) = F_h(c, a, \overline{n+1}, j) \]

\[ \iota_h(c, j) = \bar n \wedge j = \kappa_h(u^*(c, \iota_h(c, j))) \rightarrow t_h = F_h(c, a, \overline{n+1}, j) \]

\[ \iota_h(c, j) = \bar n \wedge j \ne \kappa_h(u^*(c, \iota_h(c, j))) \rightarrow F_h(c, a, \bar n, j) = F_h(c, a, \overline{n+1}, j) \]

\[ \iota_h(c, j) > \bar n \rightarrow F_h(c, a, \bar n, j) = F_h(c, a, \overline{n+1}, j) \]

The above four implications all hold by the definitions (16) of the F_h.

Proof of Theorem 6.1 (continued). As a consequence of the Claim, since the formula

\[ \bigwedge_{0 \le k < n} \varphi_L(u^*(c, \bar k), d, a(\kappa(u^*(c, \bar k))), a[d]) \]

is equivalent to ∀z (0 ≤ z < n̄ → φ_L(u*(c, z), d, a(κ(u*(c, z))), a[d])), we can use (13) to express τ^+ as

\[ \exists y \,\bigl( y > 0 \wedge \forall z\,(0 \le z < y \rightarrow \varphi_L(u^*(c, z), d, a(\kappa(u^*(c, z))), a[d])) \wedge d' = d \wedge pc = l \wedge pc' = l \wedge c' = u^*(c, y) \wedge a' = \lambda j.\, F(c, a, y, j) \bigr) \qquad (19) \]

The latter shows that τ^+ is a Σ-assignment, as desired. □



B A worked out example 

Simple assignments might not be sufficient for nested loops where an array is scanned by a couple of counters, one of which is kept fixed (think for instance of inner loops of sorting algorithms). To cope with these more complicated cases, we introduce a larger class of assignments (these assignments are still local, hence covered by Theorem 6.1). We call simple+ the ground assignments of the form

\[ pc = l \wedge \varphi_L(c, d, a) \wedge pc' = l \wedge c' = c \pm 1 \wedge d' = d \wedge a' = wr(a, c, t(c, d, a)) \qquad (20) \]

where (i) d = d_1, ..., d_l is a tuple of integer constants, (ii) the first occurrence of c in wr(a, c, t(c, d, a)) stands for a tuple of terms all identical to c, (iii) the guard φ_L contains the conjuncts c ≠ d_i (1 ≤ i ≤ l), and (iv) φ_L, t are purely arithmetical over c, d, a_1[c], ..., a_s[c], a_1[d_i], ..., a_s[d_i]. Basically, simple+ local ground assignments differ from plain simple ones just because there are some 'idle' indices d; in addition, the counter c can also be decremented.

The accelerated transition for (20) computed by Theorem 6.1 can be re-written as follows (we write j ∈ [c, c ± k] for c ≤ j < c + k or c − k < j ≤ c, depending on whether we have increment or decrement in (20)):

\[ \exists k \,\bigl( k > 0 \wedge pc = l \wedge \forall j\,(j \in [c, c \pm k] \rightarrow \varphi_L(j, d, a)) \wedge pc' = l \wedge d' = d \wedge c' = c \pm k \wedge a' = \lambda j.\,(\text{if } j \in [c, c \pm k] \text{ then } t(j, d, a) \text{ else } a[j]) \bigr) \qquad (21) \]

To show how acceleration and abstraction/refinement techniques can mutually benefit from each other, consider the procedure allDiff, represented by the all diff 2 entry in Table 1. This function tests whether all entries of the array a are pairwise different:

function allDiff(int a[N]):
1   r = true;
2   for (i = 1; i < N ∧ r; i++)
3     for (j = i − 1; j ≥ 0 ∧ r; j−−)
4       if (a[i] = a[j]) r = false;
5   assert (r → (∀x, y (0 ≤ x < y < N) → (a[x] ≠ a[y])))

This function is represented by the transition system specified below (in the specification, we omit identical updates to improve readability).

I(v) = (r = 0 ∧ i = 1 ∧ j = 0 ∧ pc = l_1)
U(v) = pc = l_4 ∧ ∃x, y. (0 ≤ x < y < a.Length ∧ a[x] = a[y])

τ_1 = pc = l_1 ∧ i < a.Length ∧ r = 0 ∧ pc' = l_2 ∧ j' = i − 1
τ_2 = pc = l_1 ∧ i ≥ a.Length ∧ pc' = l_4
τ_3 = pc = l_1 ∧ r = 1 ∧ pc' = l_4
τ_4 = pc = l_3 ∧ pc' = l_1 ∧ i' = i + 1
τ_5 = pc = l_2 ∧ r = 0 ∧ j ≥ 0 ∧ a[i] = a[j] ∧ pc' = l_2 ∧ j' = j − 1 ∧ r' = 1
τ_6 = pc = l_2 ∧ r = 0 ∧ j ≥ 0 ∧ a[i] ≠ a[j] ∧ pc' = l_2 ∧ j' = j − 1
τ_7 = pc = l_2 ∧ j < 0 ∧ pc' = l_3
τ_8 = pc = l_2 ∧ r = 1 ∧ pc' = l_3



For this problem, the transition we want to accelerate is τ_6. Accelerating transition τ_6 is not sufficient to avoid divergence caused by the outer loop, though. On the other side, accelerating the inner loop simplifies the problem, which can be successfully verified by the model checker by exploiting abstraction/refinement techniques in 1.36 seconds (see Table 1 for more details).

The acceleration of transition τ_6 requires simple+-assignments (implemented in the current release of mcmt). We follow the MCMT implementation quite closely to explain what happens.

As a first observation, the mcmt specification language requires that whenever two counters i and j both occur in array applications a[i], a[j] (like in τ_6 above), the guard of the transition must contain either the literal i = j or the literal i ≠ j. Thus such transitions must be duplicated; in our case, the copy of τ_6 with i = j can be ignored because it has an inconsistent guard. The copy with i ≠ j in the guard satisfies the conditions for being a simple+-assignment. Thus, its acceleration, according to (21), can be written as

\[ \exists k \,\bigl( k > 0 \wedge \forall z\,(z \in [j, j \pm k] \rightarrow i \ne z \wedge r = 0 \wedge z \ge 0 \wedge a[i] \ne a[z]) \wedge pc = l_2 \wedge pc' = l_2 \wedge i' = i \wedge r' = r \wedge j' = j \pm k \wedge a' = a \bigr) \qquad (22) \]

In the current release, mcmt is able to compute by itself the above accelerated transition and thus to certify safety of the allDiff procedure.

C Experimental evaluation 

Complete statistics for the experiments performed with mcmt are reported in Table 1. Benchmarks have been taken from different sources:

• The benchmarks "filter test", "max in array test", "filter", "max in array 1", "max in array 2", "max in array 3" have been taken and/or adapted from programs on http://proval.lri.fr/.

• The "heap as array" program has been suggested by K. Rustan M. Leino and it is reported in Figure 3.

• All the programs pN have been taken from "I. Dillig, T. Dillig, and A. Aiken. Fluid updates: Beyond strong vs. weak updates. In ESOP, pages 246-266, 2010."

• The "bubble sort" example comes from the "Eureka" project http://www.ai-lab.it/eureka and has been used as a benchmark in the paper "A. Armando, M. Benerecetti, and J. Mantovani. Abstraction refinement of linear programs with arrays. In TACAS, pages 373-388, 2007."

• "all diff 1" and "all diff 2" have been suggested by Madhusudan Parthasarathy and his group. They represent two different encodings of an algorithm that initializes an array to different values and then checks if the array has been correctly initialized.

• "compare", "copy", "find 1", "find 2", "init", "init test", "partition" have been taken/adapted from "Krystof Hoder, Laura Kovacs, Andrei Voronkov: Interpolation and Symbol Elimination in Vampire. In IJCAR, pages 188-195, 2010".

• The "linear search" program is used as a running example in the book "Aaron R. Bradley, Zohar Manna: The calculus of computation - decision procedures with applications to verification. Springer 2007, pp. I-XV, 1-366".

• The "selection sort" example has been used in "M. N. Seghir, A. Podelski, and T. Wies. Abstraction Refinement for Quantified Array Assertions. In SAS, pages 3-18, 2009."

• "strcmp", "strcpy" and "strlen" have been adapted from the standard C string library.

The benchmarks named with "* test" refer to benchmarks with quantified assertions substituted by a for loop. For those programs, the postcondition does not have quantifiers: in these benchmarks it is even harder to come up with a quantified safe inductive invariant to prove that the program is correct. Thus, it is a remarkable fact that our tool can automatically synthesize such invariants.
Program             Status   No options   Abstraction   Acceleration   Accel. + Abstr.
filter test         safe     x            0.08          x              0.08
heap as array       safe     x            0.12          x              0.12
init test           safe     x            11.72         x              0.16
max in array test   safe     x            0.18          x              0.18
p01                 safe     x            x             0.09           9.08
p02                 safe     x            x             0.09           9.52
p03                 safe     x            0.11          0.09           0.14
p08                 safe     x            0.12          0.12           0.11
p09                 safe     x            0.12          0.99           0.11
p14                 safe     x            6.39          0.35           7.78
p17                 safe     x            0.02          0.19           0.19
p04                 unsafe   0.02         0.03          0.03           0.02
p10                 unsafe   0.07         0.04          0.06           0.03
p11                 unsafe   0.02         0.03          0.04           0.04
p15                 unsafe   1.4          1.74          0.3            2.97
p16                 unsafe   4.27         3.70          0.45           8.89
p18                 unsafe   0.01         0.02          0.01           0.01
p19                 unsafe   0.02         0.02          0.01           0.01
p20                 unsafe   0.02         0.02          0.03           0.02
p22                 unsafe   0.02         0.03          0.02           0.17

all diff 1          safe     x            x             0.08           0.13
all diff 2          safe     x            x             x              1.36
bubble sort         safe     x            1.23          x              1.23
compare             safe     x            0.04          x              0.04
copy                safe     x            0.03          0.03           0.03
filter              safe     x            0.11          x              0.11
find 1              safe     x            0.06          x              0.06
find 2              safe     x            0.07          0.06           0.17
init                safe     x            0.08          0.03           0.1
linear search       safe     x            0.04          0.05           0.02
max in array 1      safe     x            0.1           x              0.1
max in array 2      safe     x            0.11          x              0.13
max in array 3      safe     x            0.06          x              0.01
minusN              safe     x            x             0.77           1.4
partition           safe     x            0.05          x              0.03
selection sort      safe     x            7.87          x              45.07
strcat 1            safe     x            x             x              3.5
strcat 2            safe     x            x             x              3.62
strcmp              safe     x            0.04          0.06           0.02
strcpy              safe     x            0.03          0.02           0.01
strlen              safe     x            x             0.1            0.06
p01                 safe     x            0.08          0.02           0.1
p02                 safe     x            0.08          0.05           0.1
p03                 safe     x            0.03          0.02           0.03
p08                 safe     x            0.03          0.05           0.03
p09                 safe     x            0.03          0.04           0.03
p18                 safe     x            x             0.07           0.33
p20                 safe     x            0.04          0.05           0.02
p04                 unsafe   0.07         0.02          0.01           0.01
p11                 unsafe   0.01         0.02          0.02           0.01
p14                 unsafe   0.31         1.79          0.28           2.5
p15                 unsafe   0.09         1.77          0.12           1.4
p16                 unsafe   0.11         2.97          1.23           6.57
p17                 unsafe   0.02         0.03          0.01           0.02
p19                 unsafe   0.02         0.02          0.01           0.01

Table 1: Experimental results for different options (times in seconds). The time limit has been set to 60 seconds, and x denotes a timeout. Programs in the first part of the table are annotated with quantifier-free assertions, those in the second part have ∀-assertions. Notably, when abstraction and acceleration are combined mcmt is able to verify all the 55 programs.
    var Heap: [int] int;
    const unique F: int; const unique G: int;
    const F_final: int; const G_final: int;

    procedure HeapP()
      modifies Heap;
      requires F_final > 0 && G_final > 0;
      ensures Heap[F] == F_final && Heap[G] == G_final;
    {
      Heap[F] := 0; Heap[G] := G_final;
      while (Heap[F] < F_final)
        invariant Heap[F] <= F_final;
      {
        Heap[F] := Heap[F] + 1;
      }
    }

Figure 3: The "heap as array" program.